Pull requests in Bitbucket are a great way to share proposed code changes for review and get feedback from your team.  Of course, this typically leads to discussions and feedback in comments, which might result in further changes to the code. While great for improving code quality, feedback via comments can get lost easily. Now, with pull request tasks, you can turn feedback into actionable tasks. Never miss a crucial change. 

To create a task, select Create task within a comment and enter the task info. You can also highlight the relevant text to fill-in the info before you select Create task.

Once you create tasks, you no longer have to search through all of the comments on a pull request to find follow-up items.  You can keep track of all open and resolved tasks with a consolidated list available from the top of a pull request.

If you frequently deliver apps to the cloud, you know every extra step to package and deploy your code introduces risk and can add hours to the process.  Now, with Push-to-deploy support for Bitbucket, deploying changes to your application in App Engine is easy, safe and fast.

You can automatically trigger a deployment of your Java, Python or PHP app to App Engine by pushing code to your Bitbucket repo’s master branch or by merging an approved pull request.   Simply connect your App Engine project to your Bitbucket Git repo.

Visit the Google Cloud Platform blog for the detailed instructions to connect your App Engine projects to your Bitbucket repos.

HipChat notifications from Bitbucket are a great way to keep your team up to date on changes to their code repositories – no matter where they are. For example, your team can receive notifications in the HipChat room you use to collaborate whenever a commit is pushed to the repo. But of course, there’s a lot more happening on your repositories than just new commits. Issues and pull requests are a big part of your development workflow, so with our new HipChat add-on for Bitbucket, we’ve made it dead-simple to send notifications about those too.

Bitbucket’s new HipChat add-on includes the following notifications:

• Commits: when a new commit is pushed, or commented on
• Pull requests: when a pull request is created, commented on, merged, or declined
• Issues: when an issue is created, updated, or commented on

Our new add-on is also easy to install and configure. Just look for ‘HipChat integration’ in the menu when managing your team or personal account. Once the add-on is installed, any administrator of a repository can configure notifications. Notifications can be added or configured when managing an account or managing a repository. When you manage your account, you will be able to view and manage notifications across all repositories owned by the account. When you manage a repository you will be able to view and manage notifications for that repository.

If you’re new to HipChat, be sure to check it out. HipChat is a hosted private chat service for your team. Share ideas and files in persistent group chat rooms, create a new room on the fly, video chat when you need to, share files seamlessly, and more.

As mentioned on Atlassian’s main blog, we’ve decided to end SSL 3.0 support on bitbucket.org in the wake of the newly-published POODLE exploit. Once all the facts were in, the choice was easy, and we acted quickly to address the issue. As our customer, though, you should know why we did what we did.

In the POODLE exploit, a well-placed attacker can trick each end of an SSL transaction into downgrading to an older, insecure, cipher. Once the connection is established, the attacker can become man-in-the-middle and compromise the data going back and forth between server and client.

The exploit relies on both ends’ willingness to communicate over SSL 3.0. If just one end of the transaction is unwilling to cooperate, then the attack fails altogether. Some older browsers or Git/Mercurial clients may not be able to use the newer TLS standard, though – so why did we choose to disable SSL 3.0 outright?

1. It’s the recommended solution to the problem. Möller’s paper describing the exploit goes into further detail here, especially regarding flaws in CBC block cipher padding, but the gist is that SSL 3.0 can no longer be trusted as an encryption mechanism; it’s fundamentally flawed, and it will not be fixed. The optimal solution is to disable SSL 3.0 on our end and force everyone to use some flavor of TLS instead.
2. It has minimal impact on our users. All of the browsers we support can handle the newer TLS encryption standard, as can most of the Git and Mercurial clients that communicate with our servers over HTTPS, and the change has no effect whatsoever on SSH connections.
3. It protects all of our users – even the ones whose stuff breaks because of it. We want to ensure that all of our users’ HTTPS sessions are unaffected by POODLE, so we’ve done the most effective thing to protect Bitbucket traffic from that particular attack (and a few others). We can’t protect our users from other sites, though, so if this change breaks your browser or client then (unfortunately) you need to upgrade ASAP.

The safety and security of your data are our #1 priority, so this change is effective immediately. If you need further assistance, then please contact us at support.atlassian.com.

P.S. If you’d like more background on SSL, Wikipedia has an excellent article.

Bitbucket helps teams build better software through collaboration. Our customers want tools they can trust and software that won’t break under stress or load. Robustness, reliability, and security are very important attributes of our software. But, like any other software, sometimes things may go wrong. Anticipating those situations and building good diagnostics and recovery features in the product is crucial.

Quality at Bitbucket

Our Bitbucket team doesn’t include an army of dedicated testers who would spend weeks before the release to find bugs. That’s inefficient and creates a sub-optimal split of responsibilities that leads to poor quality. Instead, we take a very different approach. Every developer on the team is responsible for the quality of the software. But not every developer is good at testing. That’s why we have a very small team of QA engineers whose primary goal is to enable every developer to do a better job with quality. It is usually achieved through the following tasks:

• Developer education: Help the development team learn best practices for writing high-quality code.
• Risk assessment: Think through all the possible scenarios that can cause the software to break and ensure that developers are aware of the highest-risk areas.
• Trend analysis: Analyze bugs and support requests to spot scenarios that have caused problems, and find ways to prevent similar problems in the future.
• Tool development: Provide test environments and new tools that help the development team ship high-quality software.

That’s why QA in our team stands for “quality assistance” and not “quality assurance”.

The challenges of scale

But it’s not that simple, especially if you’re building high-quality products at ever-increasing speed and scale with a small QA team. As Adrian Cockroft once said “scale breaks hardware, speed breaks software and speed at scale breaks everything!”. There are tons of problems to solve. Most importantly, there is a dire need for innovative approaches and tools.

Good engineering practices

In order to achieve our goals of building quality at scale we use some of the following tactics, which we are happy to share with the Bitbucket community:

• Branching model – Follow a branching model using git that enables the use of pull requests for code reviews. Having a second pair of eyes looking at every code change helps spread the knowledge within the team and spot potential problems early.
• Code documentation – Write code that is self-documenting and as readable as possible. This is crucial for effective collaborative work on the same codebase and helps new starters get up to speed with the code base quickly.
• Comprehensive tests – Create unit tests, system-level integration tests and performance tests to verify the functionality under load and varying environments and scenarios.
• Internal Dogfooding – Demo new features to a large audience of internal users to solicit feedback from different software teams.We sometimes use new features and components for months internally before we release them to our customers.
• Feature flags – Implement new features behind flags that allow us to roll them out slowly, starting with a small group of internal users at Atlassian, and then widening the audience to a segment of Bitbucket users.
• “Blitz” testing – Use a coordinated, short (~1-2 hour) round of exploratory testing of a new product or feature(s) by a group of people from across the company. This gives us extra confidence that we definitely handled all those different use cases.
• Right tools – Use static analysis tools to detect common coding problems. Track exceptions in real time in all of our environments and measure everything to ensure the entire system is working as expected.

This is just the tip of the iceberg. If you’re interested to learn more about how we do QA at Atlassian and if you’re in Austin, TX on 9th of December – join us for meetup and drinks. We’re also hiring, so check out this page if you’re interested.

Post written by Kostya Marchenko, QA Team Lead for Developer Tools at Atlassian

The maintainers of the Git and Mercurial open source projects have identified a vulnerability in the Git and Mercurial clients for Macintosh and Windows operating systems that could allow critical files to be overwritten with unwanted files, including executables.

Because this is a client-side vulnerability, Bitbucket itself is not affected; however, we recommend you update your Git client with one of the published Git maintenance releases (1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) or Mercurial client with the latest release.

If you are also using SourceTree please follow these instructions to update your Git client:

• SourceTree for Windows instructions
• SourceTree for Mac instructions

[Editor’s Note: This is the first of a series of guest blog posts around Bitbucket. This post is written by Will Salcido, CEO & Co-Founder of Bedrock Analytics Corporation. If you are interested in writing a guest post about your usage of Bitbucket, or best practices & tips, please contact us at guestposts@bitbucket.org, and we will reach out to you.]

Will Salcido is the CEO & Co-Founder of Bedrock Analytics Corporation. Will spent over a decade in the field of analytics across several leadership roles at Nestle, Novartis, Ghirardelli & Lindt. He developed analytical software for Ghirardelli that led him to solo-deploy the solution across 11 European countries in 2011. Bedrock Analytics is a data visualization and analytics software company based out of Oakland, CA.

The idea for what would become Bedrock Analytics came to me while I was working in Stockholm, Sweden. After nine international deployments of the analytical solution I had built for Ghirardelli & Lindt, I discovered that nearly all consumer product companies had similar issues working with data. Bedrock’s data visualization software enables consumer product companies to extract actionable insights from retail data. The software fills a skills gap for small to midsized companies and makes larger enterprises more efficient by automating the discovery of insights. Our customer base of consumer product companies spans throughout North America, Central America, and Europe.

In the very beginning, we had a single person with access to the source code that was stored locally. Some of the pain points of not having a hosted repository were versioning issues, development bottlenecks, general risk, and the lack of transparency. It wasn’t until we had a few scares and started hiring additional engineering staff that we began exploring the different hosted repository providers. We tested a few options and after careful deliberation, we ended up choosing Bitbucket.

We chose Bitbucket since it allowed us to collaborate within our development team using the built-in wiki and the “pull request’ workflow, and had the ability to scale along with our company. We recently hired engineering talent in Eastern Europe and Bitbucket allowed us to manage our development projects in an efficient manner. Bitbucket has made it possible to segregate our code in ways that enabled different specialized teams to work in parallel on different portions of our source code while keeping everything organized in a single platform. Most importantly, we are also looking forward to integrating Bitbucket with other Atlassian and non-Atlassian products as we continue to grow.

Our engineers like the fact that Bitbucket offers unlimited private repositories to store smaller ongoing projects. Having the ability to track changes made in each repository has saved the team countless hours. We are in the middle of scaling our processes and Bitbucket has become a critical part of how we are gaining efficiencies within our development team.

Like any fast-growing startup, our company’s greatest advantage is our speed. Bedrock Analytics speeds up with Bitbucket.

It’s been a busy quarter for us at Bitbucket. As you may have noticed, Bitbucket is faster than ever, and even more reliable for our human users, cloning agents, and even for our robot friends who reach on behalf of CI systems and other integrations.

We also have a bunch of new features that have launched recently. Here’s a recap:

Merged pull requests in compare view

It’s often useful to see the pull request history when comparing a branch to master, or between tags. In this way you could see all the features (and fixes) that have been pushed from, say ‘staging’ to ‘deployed’ versions of your application, shown as a list of pull requests.

A tab called ‘Merged Pull Requests’ now appears alongside the familiar ‘Diff’ and ‘Commits’ tabs on all Compare and Branch results to list any pull requests that have been merged into the source, and you can now examine each of these pull requests with a single click.

Introducing ‘Omnibar’ 

Sometimes you just can’t be bothered with your mouse. For the power users of Bitbucket, we’ve created the Omnibar, a one-stop shop for finding the things you want and taking action on them without ever having to leave your keyboard. Your repositories, pull requests, and issues are just a few keystrokes away. Just hit the period key to reveal Omnibar.

Ignore whitespace in diffs via URL

Depending on language and coder style, sometimes you do care about whitespace in diffs. But sometimes whitespace differences just clutter up the diff. Bitbucket now gives you the option to ignore whitespace in diffs.

Whenever you’re on a Bitbucket page showing a diff, you can add “w=1″ to the query string in the URL to force the diff engine to ignore whitespace when comparing lines. On reload, differences in the files where a given line has only unmatched whitespace will not be shown.

Custom tab size via URL

So, how wide should a tab be? It’s a matter of taste, and, if the discussions on our team are any example, of religious conviction. Now you can set all tabs in Bitbucket code displays to the width you believe is best by adding a “ts” query param to the URL and reloading the page.

For example, adding “ts=4″ to the query string of a URL will set the tab size to 4 spaces for all code on that page. The feature is currently supported in Chrome, Firefox, and Safari, but not Internet Explorer due to CSS limitations there.

Emoji Auto-complete

Sometimes, code comments, wiki pages, and readmes are just crying out for emoji. But who can remember ‘Face With Stuck-Out Tongue And Tightly-Closed Eyes?’ (表情(いー))

The many (many) emoji Unicode has to offer can now be entered in Bitbucket by ‘type-ahead’ when you type a ‘:’ followed by any part of the emoji description string (followed by a brief pause then pausing a bit). For example: typing ‘:ast’ will autosuggest a number of matching emoji including ‘:astonished:’ with the astonished face emoticon shown for your selection, ‘train’ will return all sorts of train emoticons.

Improved emoji

And, now, your emoji on Bitbucket are in high-res.

Bitbucket now supports the so-called ‘twemoji’ set used by Twitter and others, which cover the entire Unicode space with emoji in scalable, resolution-independent vectors. Previously, we were using a stagnant set of .png file emoji that simply scaled to twice their source size on high-dpi (including ‘retina’) screens, and didn’t map perfectly with modern Unicode characters. We render our new emoji set as native DOM images, and they look great in all modern browsers, including IE9.

Congrats to the New England Patriots for winning the Super Bowl. And what a heartbreaker for fans of the Seattle Seahawks! But it was a very close game and it could have gone either way. Both teams have a lot to celebrate. Just like any good football team reflects on their accomplishments at the end of the season, the Bitbucket team has a lot to celebrate, too. So we thought it would be fun to look back at what we achieved together in 2014. Thank you for making 2014 our best year yet and here’s to making 2015 even better.

We are proud to announce the integration of several popular cloud IDEs into the Bitbucket experience. You are already managing, building, and deploying your code to the cloud; you can now code in the cloud as well. Your personally-configured cloud IDE and dev environments are now accessible to you on any machine anywhere, all connected to, and, most importantly, integrated with the familiar Bitbucket interface.

Today, we are launching integrations with Codio and Codeanywhere, since they meet Atlassian’s standards of quality and security. Integrations with other cloud IDE vendors will be available soon. You can now click on the repository view of Bitbucket to clone and edit files directly in Codio or Codeanywhere:

Cloud IDEs have come a long way in the past few years. The IDEs we have chosen to integrate with Bitbucket are solid, full-fledged development environments with desktop-quality coding experiences: resizing, context-coloring, navigation, and responsiveness. We believe that many developers will appreciate the code editing features, as well as the more advanced features of some of our partner cloud IDEs – automatic configuration of code libraries and build server & deployment integrations.

Cloud IDE integration is a one-click process. Just select the IDE partner of your choice from your Bitbucket users settings and authenticate. Bitbucket’s repository view page will now contain an additional option in the ‘develop’ menu: Open in your cloud IDE (‘Open in Codio’, for example).

More about our launch partners

Codio

Codio is the cloud-based IDE and publishing platform for teaching computer programming and computer science in schools, universities, and the vocational education sector worldwide.

Codio provides instant coding environments featuring rich code editing, a large portfolio of programming languages & other software components, dedicated virtual servers, advanced features for student administration, and a growing library of course content resources, all accessible anywhere through any browser.

“Codio has always focused on delighting users with instant access anywhere to a powerful web IDE, and with today’s integration we’re thrilled to extend that experience to Bitbucket.”

– Freddy May, CEO and founder, Codio.

Codeanywhere
Collaboration platform for developers. Codeanywhere’s powerful web IDE has all the features of a Desktop IDE but with additional features only a cloud application can give you.

“When Codeanywhere was just starting out, connecting to Bitbucket was one of the first feature requests our users had. Today I am ecstatic that Bitbucket will be integrating Codeanywhere, allowing their users to easily and seamlessly edit and write code, from anywhere.”

– Ivan Burazin, CEO, Codeanywhere.

Teams that use Bitbucket often want to share important information that isn’t part of their project repository – favorite regexes, config files, code snippets, homebrew recipes (beers, and the package manager). And yes – image, audio, video, and a host of other MIME types. Currently, there is no way to share such information via Bitbucket.

Snippets for teams

Today, we’re thrilled to announce Snippets, available now in Bitbucket,  to create and manage multi-file snippets of all kinds. We took a different approach than standard pastebin or gist – we built Snippets around teams. Snippets can be shared with your team, private to you, or fully public; you control read and write privileges. If you create a snippet owned by your team, the snippet will stay with the team forever, even after you leave that team.

Additional features

In Bitbucket, you’ll find a clean, easy interface to create, edit, version, and share Snippets. It’s media-friendly, supports drag-and-drop, and features syntax highlighting for over 90 programming languages.

Because Snippets are backed by Git or Mercurial repositories, power users can clone and edit them like any other distributed code repositories.

Rich set of APIs

You can use Snippets’ rich set of APIs to further extend functionality, and access the core set of features from desktop, mobile, and web apps. For example, this command line interface for creating, inspecting, and editing Bitbucket Snippets uses this python wrapper built on top of the Snippets API. For more info, please visit the Snippets API documentation: Snippets REST API

Snippets via command line

Most importantly, we have made it easy to create Snippets via the command line. Creating a snippet from your local file is just a single curl command:

$ curl -X POST https://api.bitbucket.org/2.0/snippets/{username or teamname} \
-u {username} -F file=@myawesomefile.txt

Got Snippets?

We hope you’re as excited as we are. We look forward to hearing from you in the comments below.

Discuss Snippets on Hacker News

Bitbucket is not affected by the vulnerabilities announced by the OpenSSL project today. Two high severity security vulnerabilities CVE-2015-0291 and CVE-2015-0204 have been announced:

The CVE-2015-0291 vulnerability results in a potential denial of service attack against a server that requests a client’s certificate, which is not something that would happen in most circumstances as it is usually the client that requests the server’s certificate.

The CVE-2015-0204 vulnerability is a reclassification of the existing and well known FREAK vulnerability (CVE-2015-0204 & CVE-2015-1637), which allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

Both vulnerabilities described in the OpenSSL security advisory posted at https://www.openssl.org/news/secadv_20150319.txt do not affect Bitbucket.

Today, we are deprecating support for Digest access authentication, or “Digest auth” on Bitbucket. Digest auth support is currently slated to be turned off on May 1st, 2015.

What is Digest authentication?

Digest auth (RFC-2617) is one of the older standardized methods of authenticating HTTP requests that was used to avoid sending a password in clear text, and to prevent replay attacks. Over unsecured channels it was (in the late 90s and early 00s) a much better approach than traditional Basic Auth. We have always offered Digest auth — currently under SSL only — as an alternative to Basic auth, but today very few users use it.

Why are we deprecating it?

Over the past couple of years, as SSL-only sites became the norm, having this end-to-end encryption has effectively made Digest auth obsolete. Today, Digest auth under SSL offers nothing over Basic Auth except added complexity and, in most cases, an additional round trip to request the necessary auth challenge.

Bitbucket has been SSL-only for years and we have been planning to deprecate Digest auth. In recent years, Bitbucket’s Digest auth support has been limited to select endpoints, and aimed at providing backwards compatibility with older clients only.

Next steps

As of May 1st, clients that exclusively support Digest auth will cease to work. This might affect some older curl-based scripts that use the `–digest` parameter. Simply removing that parameter will make curl use Basic auth (over SSL, of course) instead. For all users, we recommend using one of the more modern auth methods available.

Hi, I’m Sean, the newest member on the Bitbucket team. I currently work on Mercurial but come from a scientific background with the PETSc team. My responsibilities here are working on the backend but what I’m most excited about is improving Mercurial support.

I’ve been a contributor to Mercurial for about three years and have loved Mercurial for its human-friendly user interface and supportive community. Some of my work for Mercurial includes the addition of namespaces and improving the in-memory context object. I also wrote the experimental remotenames extension (to be added to core Mercurial in the future) and the most fun smb extension.

The future of Mercurial

In my time with Mercurial, I have seen it grow in fascinating ways. These include the concept of changeset evolution coming to life and the announcement of Facebook choosing Mercurial over Git. The future of Mercurial is that of scalability and because of that, I believe the best days of Mercurial are ahead.

Mercurial 3.4 Sprint at PyCon

Here at Bitbucket, with the support of the team, I’d like to build up relations with the community and the first step was attending the Mercurial 3.4 Sprint at PyCon in Montreal this year. There were many topics discussed: new manifest version, narrow checkouts, commit signing, obsolescence marker exchange, evolve UI, reflog equivalent, new path options, and remote bookmarks. Of these topics, manifests received the most attention. A new manifest format means we can enable checkouts of only a subdirectory (called a ‘narrow’ checkout). On top of that, it opens the door for only retrieving a truncated history (called a ‘shallow’ checkout). My personal favorites are the inclusion of remote bookmarks that will be built on top of the journal i.e. reflog equivalent, and the new path features i.e. the ability to define a custom revset for pushing to a particular path.

Here are some pictures from the event (photos by Ryan McElroy and me):

Celebrating Mercurial’s 10th anniversary

Now that I am here, with the support of Atlassian and the Bitbucket team, we will be improving relations with the Mercurial community by hosting many events this year. We begin with celebrating Mercurial’s 10th anniversary on Wed, May 6th by hosting the first official Bay Area Mercurial Meetup at Atlassian’s San Francisco office. We will have speakers from Google to talk about scaling Mercurial and Facebook to talk about why they picked Mercurial as the version control system and what this means for the future of Mercurial. Register immediately if you are interested since we can only accommodate 100 attendees. We look forward to seeing you next week with the rest of the Mercurial community.

[*Note: An earlier version had accidentally stated that Google had chosen Mercurial over Git but that is untrue. Google is working on Mercurial scalability, but also uses Git and contributes to Git development.]

More than 3 million developers and 450,000 teams use Bitbucket to manage and collaborate on source code. But code collaboration is only a fraction of what software teams do on a daily basis to ship software.

Nowadays, shipping great software involves constant context switching using tools that don’t integrate tightly. Even when integrations are made, toolchains have to be painstakingly maintained on an ongoing basis with reams of messy bespoke integration code that has to be regularly re-written.

This is a challenge that development teams face every day. Most integration architectures available right now in the software industry only partially solve the problem. They only provide simple integration points that prevent teams from creating deeper integrations and a more unified workflow.

Not your average platform

To solve this problem, we’ve re-engineered Bitbucket into a platform that helps remove the interrupt-driven workflow and brings all the information to ship software in one place. Atlassian Connect for Bitbucket provides an integration architecture that embeds your add-ons right within the product UI creating a more unified workflow.

Here is a demo of code search enabled by the add-on built by Sourcegraph:

Why build using Atlassian Connect for Bitbucket?

If you’re still wondering why you should build an add-on using Atlassian Connect for Bitbucket, here are three reasons:

1. Atlassian Connect is a next generation extensibility framework, providing much deeper integration than what is offered by standard REST APIs and webhooks.
2. Add-ons are straightforward to implement. You can build an add-on in any language, on any stack, using any interface.
3. You also can distribute your great add-ons to more than three million developers and 450,000 teams using Bitbucket.

Add-ons available for early preview

We couldn’t launch an integration platform without the help of the community. Here are previews of add-ons currently available on Bitbucket:

• Cloud IDE: Codeanywhere, Codio
• Code quality: bitHound, Codacy
• Code search: Sourcegraph
• Code analytics: StiltSoft
• Deployment: Aerobatic, CloudCannon, Platform.sh
• Crash and exception handling: Rollbar
• Rapid integration: Wittified

If you are currently a user of Bitbucket and want to take a sneak peak, click on your avatar, select “Manage Account”, and simply install these new add-ons by selecting “Find new add-ons” from the left menu.

Get started with Atlassian Connect for Bitbucket

It is now super-easy to extend Bitbucket so that you have the best workflow for your team. Click here for documentation to get started with Atlassian Connect for Bitbucket.

We look forward to seeing what exciting and interesting add-ons you build using Atlassian Connect for Bitbucket. Imagine the possibilities – happy developing!

Bitbucket webhooks are used by teams every day to test, analyze, deploy, and distribute great software to millions of people.

As Bitbucket webhooks are one of our most popular integration points, we’ve had the opportunity to gather lots of feedback regarding our webhook payloads, usage, and integrations.

We’ve listened to the community (check out public issues #7775, #5938, #4467, #6545 + more) and collaborated with CI vendors to make crucial improvements to this process.

We’re proud to announce the new Bitbucket webhooks.

The new webhooks can be accessed in your repository administration settings as shown in the image above. The webhooks provide a host of improvements over the previous, and soon-to-be deprecated “POST and Pull Request POST” hooks, which have now been renamed to “Services”.

Let’s look at some of the improvements and attributes of the new webhooks.

Fuller, more descriptive payload

Bitbucket webhooks now send more comprehensive information in the payload. For example, a repo:push event now includes detailed payload information about each and every reference that was updated:

Please visit our payload documentation for more examples of changes and improvements.

Better controls

We’ve added fine-grained control over the events you want to receive hooks for, such as repository, issue, and pull request events:

Improved troubleshooting

You can now troubleshoot malfunctioning webhooks more easily by reviewing the recent requests, including status codes and response times:

Connect-ed

The new Bitbucket webhooks have been written from the ground up as a Connect add-on using our Atlassian Connect for Bitbucket platform, leveraging the same APIs for building powerful add-ons for extending Bitbucket.

Onward!

This is just the beginning. We’ve got more features on the way, such as viewing request details (headers, event payloads, etc.), retrying requests, advanced queuing, and much more.

If you’re currently integrating with the old webhooks (renamed to “Services”), these will be deprecated soon. Please visit our payload documentation for the new payload descriptions.

Take the new Bitbucket webhooks for a spin – you can configure them in your repository settings. Are you inspired to build new, exciting integrations?  Clone our webhook-listener demo project to quickly get started with Bitbucket webhooks.

This guest post is written by Dan Silivestru, CEO & Co-Founder of bitHound. Dan is a seasoned entrepreneur with over 15 years of experience in the field of software and technology. Previously, Dan was co-founder and CTO at tinyHippos, acquired by BlackBerry in 2011. Dan spent two years as an Executive in Residence (EIR) at Communitech, applying his expertise to mentor and advise startups. In late 2013, Dan co-founded bitHound Inc., a code insights startup in Kitchener, Ontario.

At bitHound we are passionate about helping developers better understand their code so that they can build great software. Building software involves making many decisions that can ultimately affect your outcome. By gaining insights into the impact of those decisions, bitHound helps developers deliver in a more reliable and secure fashion.

The development process and bitHound

Having spent our entire careers building software and working as developers, CTOs, and everything in between, we’ve lived the pain associated with building and delivering great software. We asked ourselves, “What if we could look at all of the data we generate: the code we write, the comments we make, the dependencies we use, and provide real, objective insights into the health of the software we’re creating?” And so bitHound was born.

What we do at bitHound

bitHound is code insights for your JavaScript, TypeScript, and JSX projects. We aim to keep you, the developer, in the driver’s seat: decide what and how you want to build software and who you want to build it with. Getting started with bitHound is simple. Login with your Bitbucket account and choose a project. It’s as simple as that.

Our insights arm you with the information you need to make educated decisions about whether or not your code is ready for production. These insights include vulnerabilities in your npm packages, developer identified tech debt, your most problematic files in your codebase, and more.

Earlier this year, we introduced support for Bitbucket on bitHound. The response from the Bitbucket community was overwhelmingly positive so when we were approached by Atlassian to build an add-on for the new Atlassian Connect for Bitbucket platform, we immediately got on board.

Atlassian Connect for Bitbucket

bitHound strives to work with developers in their existing workflows, delivering insights when needed. With our add-on for Atlassian Connect for Bitbucket, we can deliver on that promise. Review bitHound insights right in your repository without leaving Bitbucket.

Atlassian sees the pain point developers face with constant switching between tools that never seem to integrate seamlessly. As such, we are really excited they’ve brought Atlassian Connect for Bitbucket to market so bitHound can become part of that ecosystem to help developers build remarkable software.

Get started with the bitHound add-on

If you’re interested in getting started with the bitHound add-on, simply go to your Bitbucket settings and look for bitHound in the Find new add-ons section.

We’re thrilled about this integration. Stay tuned for more to come!

This guest post is written by Ivan Storck, Director of Developer Relations at Aerobatic. Ivan has been programming, teaching, and leading startups for 20 years. He founded two training companies, a web hosting company, and taught at the University of Washington.

At Aerobatic, our mission is to empower front-end developers to innovate faster – less time spent thinking about infrastructure, more time spent developing amazing customer-facing experiences; less time spent building and maintaining custom toolchains, more time spent innovating with clients; less time switching contexts between disparate tools, more time spent coding in a seamless flow.

In this post, I’ll show you how to build a form that posts notifications to HipChat using the Aerobatic add-on for Bitbucket. It’s simple, and no server-side code will be required.

Do you have the time to be a full-stack developer?

Like many of you, I moved from server-generated web pages in PHP or Rails, to Single Page Apps (SPA). There is only one choice for the language: JavaScript, but there is still a lot to keep track of. I’m capable of creating a virtual server, Docker image, database setup, node API, or whatever I need. I can add in the JavaScript flavor of the month, from Backbone to Angular to React.

Lately, however, I have been asking the question, do I need to know all of this? Do I even have the time? What do I enjoy the most? The answer is that I love to create online products that are beautiful, useable, and technically well-crafted. The front-end is a big enough world for me to do that. But I don’t want to lose control of the back-end, or need to team up with others to get simple apps done. Realistically, my back-end needs can be simple, and similar to many other people.

Many of you may host your static sites on Amazon S3, and manually configure CloudFront CDN via the (confusingly large) Amazon Web Services interface. But this gives you no chance at a back-end. Others code a simple node server and publish it to a PaaS provider, but this means you write boilerplate back-end with a basic REST API yet again. Maybe you even have a puppet/chef/Docker script to spin up your own virtual server, but then you’re stuck upgrading it whenever a security patch is released. What if you didn’t have to worry about all this stuff? And if you didn’t understand any of the jargon in this paragraph, doesn’t that kind of prove my point?

The Aerobatic add-on for Bitbucket

Whether you have a Jekyll blog, a static site documenting your open-source project, or a full-featured web app built with a framework such as AngularJS, Ember, or React, you can now edit your code, push your changes to Bitbucket, and your site will be deployed automatically. Assets are automatically hosted on a content delivery network (CDN) so that your site visitors will see the site faster. You can also have a custom domain point to your Aerobatic site with a DNS CNAME record.

Express Request Proxy

Expanding our core hosting service for Bitbucket developers, Aerobatic is happy to introduce a custom webhook plugin for static site apps called Express Request Proxy. This means that you can call APIs on the internet without worrying about cross-origin resource sharing (CORS) policies or leaking secret keys to the client. You can even contribute your own plugins to the 4Front open-source project, which powers our back-end.

The Express Request Proxy plugin is a high performance, intelligent proxy that supports proxying AJAX requests to remote HTTP endpoints. In addition to simple pass-through proxying, it also supports caching, parameter injection (to query string, path, and body), as well as response transforms. In the package.json virtual router setup, you can define one or more instances of the proxy plugin.

The Express Request Proxy is available now in the Aerobatic Bitbucket add-on. Other plugins that will soon be supported include custom error pages, form processing, authentication, and more.

Post to HipChat from your web app with Aerobatic

I’ll walk you through using the Aerobatic Express Request Proxy to set up an integration with HipChat (a popular chat app). We will create a simple web app. It has a form that posts a message to a HipChat room using the HipChat API.

HTML page – index.html

Below I set up a basic index.html with a form, include main.js, and the simple Skeleton CSS framework.

Main.js

Here’s the meat of the app – It processes the form and sends the data via AJAX. I decided to use vanilla JS , and not to use jQuery, because what I’m doing does not need the whole library.

Configuring the Express-Request-Proxy plugin

You might have noticed that I posted to a local endpoint ‘/hipchat’. Where does that come from? Here, in package.json, you can specify the plugin options. It’s all in the _virtualApp section.

The Aerobatic section is called _VirtualApp because much like a virtual server, you can host multiple apps on an Aerobatic installation. The router section specifies how various paths in your application work. Each path matches a module. You’ll notice that in the “path” argument, there is a parameter called “:room” The actual value is contained in our client JavaScript in main.js. You’ll change that room value to be the room name or room ID that you wish to post to.

Configuring the environment variables for secrets

You need to get an access token from HipChat. This token should be kept secret. It’s not something you want to check into Bitbucket for the public to see. Even if you have a private repo, it should not be kept in a file, in case you decide to open-source the repo later. The Aerobatic plugin for Bitbucket has the ability to store environment variables, which is a good place to store authorization secrets.

Get your token

Visit https://www.hipchat.com/docs/apiv2/auth and get either a personal access token, or an integration token, depending on whether you are doing this for just yourself or a team.

We will follow the personal access token path here. You will get asked to log in to your HipChat account next.

After that, you must choose an access scope for your token. To post to a HipChat room, you need ‘Send Notification’

The page will refresh and you should see your token appear above the form. Copy it to your clipboard for now.

• We will next set up the send notification auth token as an environment variable.
• The URL that Hipchat expects should look something like: https://api.hipchat.com/v2/room/ROOM_ID_OR_NAME/notification?AUTH_TOKEN=83b2519555c3894f2d099bac

We had specified the name of the environment variable in package.json as HIPCHAT_AUTH_TOKEN. Now we need to add it to your Repo Settings on Bitbucket.

The following section assumes you have already installed the Aerobatic add-on, linked your repo to Aerobatic, and that you are an administrator of the repo:

• Go to your repo on Bitbucket, then click “Settings” from the left side menu.
• Then scroll down to Aerobatic Hosting, and click “App Settings”.
• In the Environment Variables section, fill in HIPCHAT_AUTH_TOKEN on the left and your unique auth token on the right

Try it out for yourself!

• To install the Aerobatic add-on, go to the Bitbucket Add-On Directory.
• Additional information can be found on our Knowledge Base and blog.
• The code for this tutorial is hosted in the AeroHip Repo.

Let us know how it’s working for you — and if you run into any roadblocks. Visit our version of this demo app to drop us a line!

Bitbucket just added different levels of access to its APIs, enabling add-on and integration developers to request read, write, or admin access to repos, issues, wikis, and snippets. For Bitbucket users this means that add-ons and integrations now only get the level of access they actually need.

More details can be found in Bitbucket documentation.

Why OAuth2?

Our previous OAuth1 implementation provided only all-or-nothing access to resources. As a developer building integrations or add-ons, you had less control. Additionally, some operations that were not possible via OAuth 1, such as cloning, are now possible via OAuth2, enabling a new set of add-on and integration functionalities.

How do I use OAuth2?

OAuth2 is available within webhooks, REST APIs, and Atlassian Connect for Bitbucket. When you register your application (add-on or integration) with Bitbucket you become an “OAuth consumer”. OAuth 1 consumers that have been previously instantiated have been grandfathered into all-access. However, all new consumers will now need to specify the scopes requested, with a much more granular set of scopes available now for both OAuth options.

How does it impact me if I am a Bitbucket user?

You have complete control and visibility over what levels of access are granted to resources and repositories when you plan to use a certain integration or add-on. You may choose to grant access via a page similar to the one shown below:

You can also revoke access easily via “OAuth” under “Access Management” on your Settings page as shown below:

Please upgrade to OAuth2

We encourage all developers of Bitbucket integrations and add-ons to upgrade the authentication mechanism they’re using to scopes and OAuth2 wherever possible.

Happy coding!